Security investigation hands-on workshop 2018

© 2017 SPLUNK INC.© 2017 SPLUNK INC.
Splunk for Security
Introductory Workshop
<Enter Presenter’s Name>
May 2018 | Version 1.2 (0425)
WIFI Access Information
● SSID : VENUE_SSID
● Password : VENUE_Pass

© 2017 SPLUNK INC.
During the course of this presentation, we may make forward-looking statements regarding future events or
the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or accurate
information. We do not assume any obligation to update any forward-looking statements we may make. In
addition, any information about our roadmap outlines our general product direction and is subject to change
at any time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in
the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2017 Splunk Inc. All rights reserved.
Forward-Looking Statements

© 2017 SPLUNK INC.
Things needed for this workshop
● Your own laptop - Internet accessible
● Verify Wifi Access
● Verify Lab environment access.
● Required Materials
Please register on-site
● Click on this link
https://bit.ly/2KtLfBY
Credentials (If challenged)
● ID : splunk
● Password : !splunk!
Let’s Get Ready!
Wifi Access
● SSID : ENTER_VENUE_NETWORK
● Password : ENTER_VENUE_PASS
Materials you should have
● Workshop presentations
○ https://bit.ly/2juiKrx
● Workshop Environment Link Directory
○ https://bit.ly/2HSHAvW
Test your access to environment
● Click on this link to see if you are ready.
https://bit.ly/2HLK6bm

© 2017 SPLUNK INC.
Presentation Legend / Hands-on Guide
Visual Type Description
https://bit.ly/2Jghx1N Short-cut URL links to each exercise
Highlight boxes, presenter will explain
more on these.
Click Instruction with order (x), Follow
the sequence of the action.
Scroll Down InstructionScroll
Down
(1) CLICK (2) CLICK
Please be familiarized with the following legend for you to effectively follow the content and
the instructors.

© 2017 SPLUNK INC.
Environment Access Test Link
https://bit.ly/2HLK6bm (1) CLICK
(2) CLICK
(3) IF SEE DATA COMING
IN LIKE THIS,
YOU ARE READY TO GO!
GO AHEAD AND SIP YOUR COFFEE.

© 2017 SPLUNK INC.
▶ Section 1 : Basic Posture and Monitoring
▶ Section 2 : Intro to Investigation
▶ Summary and Next Steps
Session Agenda
Time Schedule :
- 08:30 ~ 09:30
- 09:30 ~ 09:40 Break
- 09:40 ~ 10:40
- 10:40 ~ 10:50 Break
- 10:50 ~ 11:50
- 11:50 ~ 12:00 Q&A

© 2017 SPLUNK INC.
Analytics-Driven Security: Portfolio
Premium Solution
Enterprise Security
3rd Party Apps &
Add-ons (590+)
Premium Solution
User Behavior Analytics
Search and
Investigate
Monitoring &
Alerting
Dashboards
and Reports
Incident &
Breach Response
Splunk Security Apps & Add-ons
Network data
RDBMS (any) data Windows host data
Exchange data
Analytics for Hadoop
PCI ComplianceSecurity Essentials
App for AWS
ML Toolkit
Google Cloud
Microsoft Cloud
Windows Infrastructure
Discover
Anomalous
Behavior
Detect Unknown
Threats
Automation &
Orchestration
Threat
Detection
Security
Operations
Platform for Operational
Intelligence

© 2017 SPLUNK INC.
- Part I
- Presentation: Overview of basic posture and monitoring
- Centralizing analysis, 4 key data sources
- Hands-On: UI walkthrough for each data source
- Splunk Enterprise -- partner apps
- Splunk ES -- specific dashboards
- Part II
- Presentation: Investigation basics
- Importance of investigations, Developing an investigative mindset
- Hands-On:
- Splunk Enterprise -- copy/paste SPL within exercises for login, endpoint, network
- Splunk ES -- walkthrough of example investigative workflow
How We’ll Explore
Splunk Enterprise and Splunk Enterprise Security (ES)

© 2017 SPLUNK INC.
Basic Posture and
Monitoring
4 Key Data Sources

© 2017 SPLUNK INC.
Centralizing Analysis of Point Layers
Problem Solution
Protect Endpoint Antiviruses: Symantec, McAfee
Protect Network: Unauthorized Traffic Firewalls/Web Filter: Palo Alto, Cisco
Control User Access Authentication/2-Factor: AD, RSA, Badges
Network Attacks, Stolen Information, Phishing IDS/IPS: Cisco, Palo Alto Email Filter: Cisco, Proofpoint
Unpatched Systems, Versions With Bugs Scanners/Patching: Nessus, SCCM
Threat IntelligenceIndicators of Malicious Activity

© 2017 SPLUNK INC.
Endpoint Access/Identity Network Threat
Intelligence
4 Ways to Improve Posture Quickly

© 2017 SPLUNK INC.
Understanding Your Endpoints
Processes, File Info / Access, User Activity
Endpoints
End Point System:
Windows Sysmon,
Network, File Info
Endpoint Security:
Virus, Malware, Spyware,
Whitelisting, Behaviors
What You Discover
❑ Frequency of application executions, unique applications
❑ Non-corporate approved applications
❑ Known malicious executables
Benefit
❑ Visibility into application executions
❑ Understanding of unknown applications – whom and
where and frequency

© 2017 SPLUNK INC.
Posture – Endpoint
Splunk Enterprise

© 2017 SPLUNK INC.
Environment Access : Endpoint Symantec App
Security Online
Experience
Hands on Session
Access URL :
https://bit.ly/2Jghx1N
SCREEN CAPTURE
(To be provided)

© 2017 SPLUNK INC.
Endpoint : Symantec Endpoint Protection Analysis
Scroll
Down

© 2017 SPLUNK INC.
(1) CLICK
(2) CLICK

© 2017 SPLUNK INC.
(2) CLICK
(1) CLICK

© 2017 SPLUNK INC.
(1) CLICK
(2) SELECT
ENTER

© 2017 SPLUNK INC.
Posture – Endpoint
Splunk Enterprise Security

© 2017 SPLUNK INC.
Environment Access : ES Endpoint Domain
Security Online
Experience
Hands on Session
Access URL :
https://bit.ly/2qNGriO
SCREEN CAPTURE
(To be provided)
1-CLICK
2-CLICK
3-CLICK

© 2017 SPLUNK INC.
Endpoint : Malware Center

© 2017 SPLUNK INC.
(3) CLICK
Endpoint : Malware Center
(1) SELECT (2) SELECT

© 2017 SPLUNK INC.
Endpoint : Malware Search

© 2017 SPLUNK INC.
Endpoint : System Center
(1) TYPE IN (2) CLICK

© 2017 SPLUNK INC.
Endpoint : Update Center

© 2017 SPLUNK INC.
Endpoint : Endpoint Changes

© 2017 SPLUNK INC.
Access and Identity
Who, Why and Credential Abuse
Access/Identity
Windows Security Events:
Active Directory and
Authentication Logs
What You Discover
❑ Credentials used in multiple locations, or shared by users
❑ Admin credential abuse
❑ Login frequencies, users moving around quickly
❑ Users failing authentications trying to discover
internal/external resources
Benefit
❑ Uncover unusual login patterns
❑ Track user behavior

© 2017 SPLUNK INC.
Posture – Login
Activity
Splunk Enterprise

© 2017 SPLUNK INC.
Environment Access : Access - Cisco ISE App
Security Online
Experience
Hands on Session
Access URL :
https://bit.ly/2vy5zyB
SCREEN CAPTURE
(To be provided)

© 2017 SPLUNK INC.
Access / Authentication : Cisco ISE App
CLICK

© 2017 SPLUNK INC.
Scroll
Down

© 2017 SPLUNK INC.
https://bit.ly/2HAkTQj
(1) CLICK
(2) CLICK
(3) CLICK

© 2017 SPLUNK INC.
(1) ADD / ENTER

© 2017 SPLUNK INC.
(1) ADD / ENTER
(2) CLICK

© 2017 SPLUNK INC.
POP QUIZ
How can you filter failed VPN sessions only
from outside of “United States”?
Hint add “search NOT” in between
a couple of commands..

© 2017 SPLUNK INC.
Posture – Login
Activity

© 2017 SPLUNK INC.
Environment Access : ES Access & Identity Domain
Security Online
Experience
Hands on Session
Access URL :
SCREEN CAPTURE
(To be provided)
CLICK
CLICK
CLICK

© 2017 SPLUNK INC.
Access : Access Center

© 2017 SPLUNK INC.
Access : Access Center
(2) CLICK

© 2017 SPLUNK INC.
Access : Account Management

© 2017 SPLUNK INC.
Access : Default Account Management

© 2017 SPLUNK INC.
Access (Example) : SaaS Service Access

© 2017 SPLUNK INC.
Identity : Asset Center
CLICK
CLICK CLICK

© 2017 SPLUNK INC.
Identity : Identity Center
CLICK
CLICK CLICK

© 2017 SPLUNK INC.
Network Activity
Detecting Exfiltration and Unusual Communication
What You Discover
❑ Who talked to whom, traffic volumes (in/out)
❑ Malware download/delivery, C2, exfiltration
❑ Horizontal and vertical movement
Benefit
❑ Determine how threats got in
❑ Systems and endpoints communicating internally
❑ Detect intellectual property theft, insiders
Network
Network Access:
ForeScout
Firewall:
Cisco, Palo Alto
Network:
DNS – Splunk Stream, DNS
Server

© 2017 SPLUNK INC.
Posture – Network
Splunk Enterprise

© 2017 SPLUNK INC.
Environment Access : Palo Alto Networks App
Security Online
Experience
Hands on Session
Access URL :
https://bit.ly/2K34bY9
SCREEN CAPTURE
(To be provided)

© 2017 SPLUNK INC.
Palo Alto Networks : All Incident

© 2017 SPLUNK INC.
Posture – Network

© 2017 SPLUNK INC.
Environment Access : ES Network Domain
Security Online
Experience
Hands on Session
Access URL :
SCREEN CAPTURE
(To be provided)
CLICK
CLICK
CLICK

© 2017 SPLUNK INC.
Network : Traffic Center

© 2017 SPLUNK INC.
Network : Intrusion Center

© 2017 SPLUNK INC.
Network : Vulnerability Center

© 2017 SPLUNK INC.
Network : Web Center

© 2017 SPLUNK INC.
Threat Intelligence
Known and Early Warning Indicators
What You Discover
❑ High risk behaviors and patterns
❑ Undetected/unblocked malware and command & control activities
❑ Known indicators of compromise
Benefit
❑ Early warning of malicious activity
❑ Detect indication of C2 channels
❑ Confirm whether traffic going to compromised or watch-listed sites
❑ Compromised systems communicating with each other
❑ Compromised endpoints
Threat Intelligence
Threat Feeds: Public, Free,
Private, Paid or Custom –
ThreatConnect, Anomali
Firewall: Cisco, Palo Alto
Neworks

© 2017 SPLUNK INC.
Posture – Threat
Intelligence
Splunk Enterprise

© 2017 SPLUNK INC.
Environment Access : Custom Threat Intel App
Security Online
Experience
Hands on Session
Access URL :
https://bit.ly/2HAkInY
SCREEN CAPTURE
(To be provided)

© 2017 SPLUNK INC.
Custom App (Sec Inv Quick Start) : Network Traffic Overview
CLICK

© 2017 SPLUNK INC.
HIGHLIGHT HIGHLIGHT

© 2017 SPLUNK INC.
Posture – Threat
Intelligence

© 2017 SPLUNK INC.
Environment Access : ES Threat Intel Domain
Security Online
Experience
Hands on Session
Access URL :
SCREEN CAPTURE
(To be provided)
`
CLICK
CLICK
CLICK

© 2017 SPLUNK INC.
Threat Intelligence : Threat Activity

© 2017 SPLUNK INC.
Threat Intelligence : Threat Artifacts

© 2017 SPLUNK INC.
Environment Access : ES Threat Intel Domain
Security Online
Experience
Hands on Session
Access URL :
SCREEN CAPTURE
(To be provided)
`
CLICK
CLICK

© 2017 SPLUNK INC.
Threat Intelligence : Risk Analysis

© 2017 SPLUNK INC.
Investigation Basics

© 2017 SPLUNK INC.
Alert
Indicator
Data
Security Technologies Are Designed to Detect
Bad/Suspicious Activity
Endpoint
Network
Threat
Intelligence
Access/Identity
Possibilities:
▶ Data Breach
▶ Infection(s)
▶ Account Takeover
▶ Application Fault
▶ Misconfiguration
▶ Missing patch
▶ User Error
▶ Other (Ignore)
Alert
Indicator
Data
Endpoint
Network
Threat
Intelligence
Access/Identity

© 2017 SPLUNK INC.
Importance of an Investigative Mindset
“Investigate” – gather data, analyze, pinpoint digital evidence
If each alert takes
10 min to investigate...
▶ Helps anyone handling alerts
▶ Gain control of posture
• Old way – “escalate or ignore”
• New way – find out what is
actually going on
* assumes 14 – 28 cases in a shift
If you reduce to 5 minutes
If you handle 100 alerts a month
(5 alerts a day, 20 days in month)
100x10 = 1,000 min/60 = 16 hours
100x5 = 500 min/60 = 8 hours
You get a day back (8 hours)

© 2017 SPLUNK INC.
Developing an Investigative Mindset
What
happened?
Who was
involved?
When did it
start?
Where was
it seen?
How did it
get in?
How do I
contain it?
ALERT
What specific
questions
do I want
answered?
Where do I look?What is the logic /
methodology to
apply?
What’s an
example?

© 2017 SPLUNK INC.
Investigation
Splunk Enterprise

© 2017 SPLUNK INC.
Investigation Session 1 - Authentication
Security Online
Experience
Hands on Session
Access URL :
https://bit.ly/2rhdgF7
SCREEN CAPTURE
(To be provided)

© 2017 SPLUNK INC.
Investigation -- Login Activity

© 2017 SPLUNK INC.
The Splunk platform enables security analysts to quickly identify the root cause of security incidents and make informed decisions
about how to remediate an issue. This Hands-on Experience enables you to use Splunk in a set of security-
relevant real-world exercises.
For the first phase of the investigation, Detection, we will use Splunk SPL to analyze authentication
failures to expose threats.
To get started, click "View Demo Video" to watch a demo session and click on "Launch Online Session" to
open a Splunk online session and follow along with the real-world exercises.
SECURITY INVESTIGATION WITH SPLUNK : Exercise 1, Detection

© 2017 SPLUNK INC.
SEARCHING FOR AUTHENTICATION FAILURES :
STEP 01 : Type fail* password into the Splunk search bar.
Identify patterns of authentication failures across the entire system to detect potential bad actors attempting to gain
access to your environment. Start by looking for events that contain references to password failures.
fail* password
As you type fail, Splunk platform shows terms that match fail. This can help you refine your search.
Use a wildcard (*) to get results for any event that contains fail, including fails, failed and failures for password.
Select one of the matching terms that appear as you type to find events that match the specified criteria, or search
only for password to see events that just
STEP 02 : Select All time in the time range picker and click Search or press Enter to search.

© 2017 SPLUNK INC.
STEP 03 : Review the search results. This search returns all failed system access attempts
across the data in Splunk platform.
Approximately 2,550 events match fail* password, which means that there are 2,550 failed authentication attempts in your environment. The
search results show us the following:
• Timeline : Shows the distribution of matching events over time as a histogram of events. You can zoom in and out of timeframes to understand
the distribution of events over time.
• Time range picker : Specify the time period for the search.
• Fields sidebar : Shows the fields extracted from the authentication events in your search results.
• Events view : Displays the raw events with the matching search terms highlighted. By default, the most recent event is listed first.

© 2017 SPLUNK INC.
STEP 04 : Review the data types to see which types of systems have authentication failures.
Click sourcetype to see the list of data source types.
These authentication failures occurred on Windows, Linux, database, and file server systems.
With this one search you can identify authentication failures across many different systems in your environment.

© 2017 SPLUNK INC.
REVIEW THE FIELDS IN THE SEARCH RESULTS :
Next, you want to identify the fields that help you analyze failed authentication attempts.
You want to answer the following questions :
• On which systems are the failed access attempts occurring?
• From where or whom are the failed access attempts originating?
• With which accounts are the failed access attempts occurring?
After identifying the helpful fields for your analysis, you can format the search results as a
table to more easily scan the aggregated search results.

© 2017 SPLUNK INC.
STEP 05 : Mouse over the Fields sidebar and click the dest field. Click Yes add it to the
selected fields and review the Top 10 Values.
The dest field shows you servers or hosts accessed by the assets in your environment. You can use the dest field to identify the servers being
targeted by failed authentication attempts.
There are more than 60 different hosts being accessed by the assets in your environment. The destination ECOMMERCE-03 has more than 1400
authentication failures, the server AD-019 has several hundred authentication failures, and several other hosts show authentication failures.

© 2017 SPLUNK INC.
STEP 06 : Mouse over the Fields sidebar and click the src field. Click Yes to add it to the
The src field contains the assets that authentication failures are coming from.
The host 10.11.36.20 has more activity than other hosts with password failures, and is worth investigating further. You can identify the host
STORE0329POS004 as a point of sale server based on the name. It has a troubling number of authentication failures for a host involved in credit
card data transactions.

© 2017 SPLUNK INC.
STEP 07 : Mouse over the Fields sidebar and click the user field. Click Yes to add it to the
The user field indicates which target users have the highest number of authentication failures.

© 2017 SPLUNK INC.
ANALYZE THE FAILED AUTHENTICATION ATTEMPTS :
After searching for authentication failures and reviewing the originating hosts (src), destination hosts
(dest), and involved users (user), the next step is to analyze the data. You want to determine which
users on which hosts are attempting to log in to which destination hosts. Analyze the authentication
failures with simple statistics.
• Origin of access (src)
• Target system (dest)
• Users on the target system (user)
• Type of system (sourcetype)

© 2017 SPLUNK INC.
STEP 08 : In the Splunk search bar, Append | stats count by src, dest, sourcetype, user to
your existing search, then press the Enter key or click Search.
fail* password | stats count by src, dest, user, sourcetype
This search aggregates the number of authentication failures by the origin of the attempt (src), target system
(dest), user attempting to log in to the target system (user), and the type of system (sourcetype).
The stats command calculates the total number of authentication failures associated with the src, dest,
and user account used to access the destination system.
(1) ADD / ENTER

© 2017 SPLUNK INC.
STEP 09 : Multiple failed authentication attempts are more of a threat than just one. Modify the search to
look for hosts with more than two failed authentication attempts. Sort the attempts to see the highest
number of attempts first. Append | sort – count | where count > 2 to your search, then press
the Enter key or click Search.
fail* password | stats count by src, dest, user, sourcetype | sort – count | where count > 2
You can now review the most critical failed authentication attempts in your environment and investigate further.
(1) ADD / ENTER

© 2017 SPLUNK INC.
EXERCISE 1 ASSESSMENT :
Identify patterns of authentication failures across the entire system to detect potential bad actors attempting to gain
access to your environment. Start by looking for events that contain references to password failures.
CASE 01 : Someone has tried to access the ECOMMERCE-03 host more than 1400 times. The high number of
failed authentication attempts could indicate a password enumeration attack against the ECOMMERCE-
03 server. Given the high number of attempts, it is most likely a scripted attack.

© 2017 SPLUNK INC.
CASE 02 : A single host (10.1.21.153) with a pattern of failed login attempts using multiple user accounts most likely
indicates a compromised system under the control of an attacker. The attacker is likely attempting to infiltrate the
network by logging in to other systems, a pattern indicating attempts at lateral movement. This potentially infected host is
attempting to gain access to the DATABASE-001 server, which likely contains sensitive data.

© 2017 SPLUNK INC.
STEP 10 : View visual analysis of results using “Parallel Coordinate” Visualization. Select
Visualization and Parallel Coordinate.
(1) CLICK
(2) CLICK

© 2017 SPLUNK INC.
Visual representation of the analysis clearly shows the entity relationships of authentication failure activities from
10.1.21.153. Visualization’s one-to-many representation clearly depicts lateral movement and attempts to DATABASE-
001 host shows the user DBADMIN logins attempts.
(1) DRAG
& SELECT

© 2017 SPLUNK INC.
DRILL DOWN INTO AN INVESTIGATION :
STEP 01 : From the analysis table that you saw when you searched " fail* password | stats count by src,
dest, sourcetype, user | sort – count | where > 2 ", click the src value for a search result with the
host 10.1.21.153, then click View Events to see all the authentication failure events associated with that host.
In this exercise, you want to determine how a malicious host attempted to gain access to a target machine in your
network. Continue to investigate the host 10.1.21.153, which attempted to access multiple web servers and a
critical database server.
You can easily pivot from a set of search results to a new search on a specific host.
(1) CLICK
(2) CLICK

© 2017 SPLUNK INC.
STEP 02 : Review the search results for the new search. The new search looks for
authentication failure events associated with the specific source.
fail* password src="10.1.21.153"
You can easily see all the raw events associated with this source host, identifying patterns of access attempts
and further evidence that there might be a malicious actor trying to access machines in your network.

© 2017 SPLUNK INC.
VISUALIZE AUTHENTICATION FAILURE ACTIVITIES :
STEP 03 : From the Fields sidebar, click the dest field. Click Top values by time.
In this exercise, visualize the search results for authentication failures associated with the host 10.1.21.153 to
quickly gain an understanding of how the attacker carried out the attempts to access internal servers.
The destination (dest) field tells you which systems this particular workstation is targeting. Based on the aggregate number of failed
login attempts,web_cloud_03, or a cloud web server, is the top targeted host with the most failed authentication attempts. Also, a
critical asset DATABASE-001 was targeted.
You can quickly visualize the failed attempts by the 10.1.21.153 host to access different destination hosts with the report created by
clicking Top values by time.

© 2017 SPLUNK INC.
STEP 04 : Review the visualization of failed attempts by the source host to access different
destinations over time.
The default visualization shows the activities visualized in a line chart. The visualization properties can be adjusted
to show activities by separating each destination host.

© 2017 SPLUNK INC.
STEP 05 : Click Line Chart and change the visualization type to Column/Bar
The Column/bar view allows you to easily distinguish the volume of failed authentication attempts by destination.

© 2017 SPLUNK INC.
STEP 06 : Click Format and click Yes for Multi-series Mode.
Multi-series mode displays a separate bar or column for each destination host.

© 2017 SPLUNK INC.
STEP 07 : Explore the visualization. Mouse over the different host names.
This visualization lets you quickly visualize the volume of attacks from the host 10.1.21.153 organized by
destination over time. With this visualization, you can identify the following aspects of the attack.
• The sequence of authentication attempts made by the attacker over time, relative to different assets.
• The interval and duration of activities, showing a periodic pattern of attempts by an attacker using the same
host over time.

© 2017 SPLUNK INC.
EXERCISE 2 : ASSESSMENT
This exercise walked you through visualizing the aggregated statistics into interactive charts, allowing you to
perform more detailed analysis over time and validate specific suspicious activity. With a clearer understanding of
the failed authentication attempts, you can determine that the failed authentication attempts were likely initiated by
a malware-infected host (10.1.21.153) probing the internal network.
CASE 01 : A series of brute force authentication attempts to multiple web service hosts.
CASE 02 : The attacks on the servers were carried out over two different time intervals. After the first series of attempts, the same
attack was repeated eight minutes later.
CASE 03 : Immediately after the first series of web server access attempts, the attacker attempted to access a more critical asset,
database server 001. The attacker only attempted to access the database server after probing the web servers.
With this analysis, you can identify the following elements that confirm this is a malicious attack on your organization :

© 2017 SPLUNK INC.
INVESTIGATE THE SOURCE HOST ACTIONS ON THE CRITICAL ASSET
STEP 01 : From the visualization of the workstation 10.1.21.153 activities, locate the events associated
with DATABASE-001 on the the chart and click the cluster of events on the visualization.
In this exercise, investigate specific combinations of source and destination activities between the workstation and
the DATABASE-001 server. This workflow continues from the visual analysis of the previous exercise.
Continue your investigation from the visualization in the previous exercise. Click the host DATABASE-001 to open
a secondary search into the specific activities from the source 10.1.21.153on the database server.

© 2017 SPLUNK INC.
STEP 02 : Review the search results for additional unexpected behavior.
The search results now show only activities between the 10.1.21.153 host and the DATABASE-001 server that
include authentication failures.

© 2017 SPLUNK INC.
EXPAND THE SEARCH FOR TARGETED ANALYSIS
STEP 03 : Modify the search to remove "fail* password" and see all activities with a "src=10.1.21.153" and a
"dest=DATABASE-001". Press enter or click Search.
To determine the full scope of activities between the 10.1.21.153 host and the DATABASE-001 server, expand the
search to determine if there was a successful authentication attempt after the failed authentication attempts you
already know about. In addition, you can identify which user accounts were used and which activities were
performed on the server.
Removing the search for "fail* password" expands the search to all types of activity between the source host
and destination server.

© 2017 SPLUNK INC.
The search results found other events between these hosts that add context to the activities between the two
hosts.

© 2017 SPLUNK INC.
STEP 04 : Examine the search results starting with the Fields sidebar. Click the
field COMMENTTEXT to review information about session information on the database
server. Click Yes to select the field.

© 2017 SPLUNK INC.
STEP 05 : Click the field SQLTEXT to review information about SQL queries run on the
database server. Click Yes to add the field to the selected fields.
Selecting these 2 fields, COMMENTTEXT, SQLTEXT, provides the detail information on what database activities
there were between these two hosts.

© 2017 SPLUNK INC.
FORMATTING EVENT FOR QUICK VERIFICATION
STEP 06 : In the Splunk search bar, append "| table _time, src, dest, user, COMMENTTEXT, SQLTEXT" to
the search.
Format the search results into a table to more easily analyze the important fields.
Focus your analysis on the most useful fields. Because DATABASE-001 is a database server,
the SQLTEXT and COMMENTTEXT fields contain valuable information. Include _time to review the sequence of
activity between the two hosts, and the user field to identify which user account is performing the activities.
Formatting the search results in a table allows you to easily follow the sequence of events over time.
src="10.1.21.153" dest="DATABASE-001" | table _time, src, dest, user, COMMENTTEXT, SQLTEXT (1) ADD / ENTER

© 2017 SPLUNK INC.
CASE 01 : The activities from the workstation indicate that an attacker used several different database credentials to
gain access to the database, including credentials from a privileged database user.
CASE 02 : After three failed authentication attempts, the attacker successfully logged in to the database as the ORACLE
user and successfully gained administrative privileges to the database and modified the user privileges for a third user.
CASE 03 : After the user privileges modification, you can identify clear signs of a transaction by the attacker in which
they accessed a restricted database table containing customer information.
EXERCISE 3 : ASSESSMENT
With the Splunk platform you can easily move from a detailed visualization to detailed raw events, allowing you to perform
exhaustive analysis and validate specific suspicious activities occurring between two hosts on your network. From this analysis you
can determine that an attack occurred and attackers are querying the database server for valuable information.

© 2017 SPLUNK INC.
More exercises to try at home!
http://splk.it/2HkqPd5 http://splk.it/2ovYwAuhttp://splk.it/2FcN1I4

© 2017 SPLUNK INC.
Investigation Session 2 - Endpoint
http://splk.it/2HkqPd5
Security Online
Experience
Hands on Session
Access URL :
Register to sign in.

© 2017 SPLUNK INC.
Investigation Session 3 - Network
http://splk.it/2ovYwAu
Security Online
Experience
Hands on Session
Access URL :
Register to sign in.

© 2017 SPLUNK INC.
Environment Access : ES Incident Management
https://bit.ly/2I6QXvk
Security Online
Experience
Hands on Session
Access URL :
SCREEN CAPTURE
(To be provided)

© 2017 SPLUNK INC.
Environment Access : ES Asset Investigator
https://bit.ly/2I6QXvk
Security Online
Experience
Hands on Session
Access URL :
SCREEN CAPTURE
(To be provided)

© 2017 SPLUNK INC.
Environment Access : ES Adaptive Response
https://bit.ly/2HPlQkG
Security Online
Experience
Hands on Session
Access URL :
SCREEN CAPTURE
(To be provided)

© 2017 SPLUNK INC.
Environment Access : ES Content Update
https://bit.ly/2HBGKGT
Security Online
Experience
Hands on Session
Access URL :
SCREEN CAPTURE
(To be provided)

Attend .conf18
.conf is Splunk’s premier education and thought leadership event for
thousands of IT and business professionals who are keen to use
machine data insights to find answers.
.conf18 | October 1 - 4, 2018
University | September 29 – October 1
Walt Disney World Swan and Dolphin Resort | Orlando, Florida
“.conf is an exciting collection of technical sessions, hands-on demos and social
networking with industry professionals and users. I can’t wait for .conf18.”
– Michael Deisher, Systems Analyst, Visa
Registration opens April 10th!
3 Days of Innovation
Keynotes with IT Visionary Thought Leaders
Partners who enhance the value of Splunk
Networking with Data Enthusiasts
Education Sessions
Hands-on Labs
Customer Success Studio
300+ Education Sessions
Business Analytics
Development
IoT
IT Operations
Security/Compliance/Fraud
Foundations

Security investigation hands-on workshop 2018

More Related Content

What's hot (19)

Similar to Security investigation hands-on workshop 2018 (20)

Recently uploaded (20)

Security investigation hands-on workshop 2018